From 5111f339525766a7d1b08764f769906724e13ca6 Mon Sep 17 00:00:00 2001
From: Urs Schulz <3109602+faulesocke@users.noreply.github.com>
Date: Wed, 8 Jan 2025 21:54:03 +0100
Subject: [PATCH] ntpd-rs: Set cap_net_bind_service during daemon startup allows it to run in server mode and listen on port 123
---
 srcpkgs/ntpd-rs/INSTALL | 5 -----
 srcpkgs/ntpd-rs/files/ntpd-rs/run | 8 +++++++-
 srcpkgs/ntpd-rs/template | 3 +--
 3 files changed, 8 insertions(+), 8 deletions(-)
 delete mode 100644 srcpkgs/ntpd-rs/INSTALL
diff --git a/srcpkgs/ntpd-rs/INSTALL b/srcpkgs/ntpd-rs/INSTALL
deleted file mode 100644
index bb7e53afa9362a..00000000000000
--- a/srcpkgs/ntpd-rs/INSTALL
+++ /dev/null
@@ -1,5 +0,0 @@
-case "${ACTION}" in
-post)
- setcap CAP_SYS_TIME=+ep usr/bin/ntp-daemon
- ;;
-esac
diff --git a/srcpkgs/ntpd-rs/files/ntpd-rs/run b/srcpkgs/ntpd-rs/files/ntpd-rs/run
index d9b5fdbb6423f0..d1d6a6c9065a30 100644
--- a/srcpkgs/ntpd-rs/files/ntpd-rs/run
+++ b/srcpkgs/ntpd-rs/files/ntpd-rs/run
@@ -1,4 +1,10 @@
 #!/bin/sh
 exec 2>&1
+[ -r conf ] && . ./conf
 [ ! -d /run/ntpd-rs ] && mkdir /run/ntpd-rs && chown _ntpd_rs:_ntpd_rs /run/ntpd-rs
-exec chpst -u _ntpd_rs:_ntpd_rs ntp-daemon
+
+exec setpriv --reuid _ntpd_rs --regid _ntpd_rs --clear-groups \
+ --ambient-caps -all,+sys_time,+net_bind_service \
+ --inh-caps -all,+sys_time,+net_bind_service \
+ --bounding-set -all,+sys_time,+net_bind_service \
+ --no-new-privs -- ntp-daemon
diff --git a/srcpkgs/ntpd-rs/template b/srcpkgs/ntpd-rs/template
index a6ba0de08e1d87..653c6d13f78df7 100644
--- a/srcpkgs/ntpd-rs/template
+++ b/srcpkgs/ntpd-rs/template
@@ -1,7 +1,7 @@
 # Template file for 'ntpd-rs'
 pkgname=ntpd-rs
 version=1.4.0
-revision=1
+revision=2
 build_style=cargo
 make_check_args="--
 --skip daemon::keyexchange::tests::client_connection_refused
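Review bot: In `srcpkgs/ntpd-rs/files/ntpd-rs/run`, the added `[ -r conf ] && . ./conf` is sourced as root before `setpriv` drops privileges, yet no variable it could set is used on the `exec setpriv` line, so unless it is meant to export environment for the daemon it adds a root-executed file without giving the admin any control. It could instead make the server-only capability opt-in, so client-only hosts keep just `sys_time`, e.g. `--ambient-caps "-all,+sys_time${NTP_SERVER:+,+net_bind_service}"` (the variable name is a constructed example; the same expansion would go on `--inh-caps` and `--bounding-set`). A comment above the exec such as `# sys_time: adjust the clock; net_bind_service: bind port 123 in server mode; every other capability is dropped` would record why each one is kept, since ambient capabilities are also inherited by anything the daemon spawns. Separately, the template's second hunk removes `depends="libcap-progs"` and no visible hunk declares the package that provides `setpriv`; it is presumably part of the base system, but worth confirming, because a missing binary makes the `exec` fail on every service start.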
@@ -9,7 +9,6 @@ make_check_args="--
 --skip daemon::keyexchange::tests::key_exchange_weird_packet
 "
 make_install_args="--path ntpd"
-depends="libcap-progs"
 short_desc="Full-featured implementation of the Network Time Protocol"
 maintainer="tranzystorekk "
 license="Apache-2.0 OR MIT"